Philippe BIONDI, Fabrice DESCLAUX: Silver Needle in the Skype

Slide 3/98: Problems with Skype (the network view)
From a network security administrator's point of view:
- Almost everything is obfuscated (looks like /dev/random)
- Peer-to-peer architecture: many peers, no clear identification of the destination peer
- Automatically reuses proxy credentials
- Traffic even when the software is not used (pings, relaying)
=> Impossible to distinguish normal behaviour from information exfiltration (encrypted traffic on strange ports, night activity)
=> Jams the signs of real information exfiltration

Slide 4/98: Problems with Skype (the system view)
From a system security administrator's point of view:
- Many protections: many anti-debugging tricks, much ciphered code
- A product that works well, for free (as in beer)?!
- From a company not involved in Open Source?!
=> Is there something to hide?
=> Impossible to scan for trojan/backdoor/malware inclusion

Slide 5/98: Problems with Skype (some legitimate questions)
The Chief Security Officer's point of view:
- Is Skype a backdoor?
- Can I distinguish Skype's traffic from real data exfiltration?
- Can I block Skype's traffic?
- Is Skype a risky program for my sensitive business?

Slide 7/98: Problems with Skype (context of our study)
Our point of view:
- We need to interoperate the Skype protocol with our firewalls
- We need to check for the presence/absence of backdoors
- We need to check the security problems induced by the use of Skype in a sensitive environment

Slide 9/98: Encryption (binary packing)
Avoiding static disassembly:
- Some parts of the binary are XORed with a hard-coded key
- In memory, Skype is fully decrypted
Skype binary decryption procedure: each encrypted part of the binary is decrypted at run time.
[figure: layout of the binary, with clear parts and encrypted parts]

Slide 17/98: Semi-polymorphic checksumers (code integrity checks)
Interesting characteristics:
- Each checksumer is a bit different: they seem to be polymorphic
- They are executed randomly
- The pointer initialization is obfuscated with computations
- The loop steps have different values/signs
- The checksum operator is randomized (add, xor, sub, ...)
- The checksumer length is random
- Dummy mnemonics are inserted
- The final test is not trivial: it can use the final checksum to compute a pointer to the next code part

Slide 20/98: How to get the computed value (code integrity checks)
Solution 1:
- Put a breakpoint on each checksumer
- Collect all the computed values during a run of the program
Problems: software breakpoints change the checksums, and we only have 4 hardware breakpoints
=> Twin processes debugging
Solution 2: emulate the code

Slide 21/98: Twin processes debugging (code integrity checks)
1. Put software breakpoints on every checksumer of one process
2. Run it until it reaches a breakpoint
3. Put 2 hardware breakpoints before and after the same checksumer in the twin process
4. Use the twin process to compute the checksum value
5. Write it down
6. Report it into the first process and jump over the checksumer
7. Go to step 2

Slide 32/98: Binary protection, anti-debuggers (anti-debugging techniques)
Solution:
- The random memory page is allocated with special characteristics
- So: breakpoint on malloc(), filtered with those properties, in order to spot the creation of this page
- We then spot the pointer that stores this page's location
- We can then put a hardware breakpoint to monitor it, and break in the detection code

Slide 44/98: Skype network obfuscation layer, the seed-to-RC4-key engine
Problem 2: what is the seed-to-RC4-key engine?
- It is not an improvement of the flux capacitor
- It is a big fat obfuscated function
- It was designed to be the keystone of the network obfuscation
- The RC4 key is 80 bytes long, but there are at most 2^32 different keys
- It can be seen as an oracle
- We did not want to spend time on it => we parasitized it
Note: RC4 is used for obfuscation, not for privacy

Slide 45/98: Parasitizing the seed-to-RC4-key engine
We injected a shellcode that:
1. reads requests on a UNIX socket
2. feeds the requests to the oracle function
3. writes the answers to the UNIX socket

Slide 51/98: Object lists (how to speak Skype)
- An object can be a number, a string, an IP:port, or even another object list
- Each object has an ID
- Skype knows which object corresponds to which command parameter from its ID
[figure: an object list is a list size followed by objects such as a number, an IP:port, a list of numbers, a string, an RSA key]

Slide 53/98: for P in packets: zip P (packet compression)
- Each packet can be compressed
- The algorithm used: arithmetic compression (zip would have been too easy)
Principle:
- Close to the Huffman algorithm
- Reals are used instead of bits

Slide 54/98: Arithmetic compression, example
- [0, 1] is split into subintervals, one per symbol, according to their frequencies
- We encode ACAB. The first symbol is A: we subdivide its interval
- Then comes C
- Then A again
- Then B
- Each real enclosed in this small interval can encode ACAB
[figure, shown in successive animation steps: the interval [0, 1] with A below 0.5 and B and C above it; at each step the subinterval of the current symbol (A, then C, then A, then B) is subdivided, and the final interval is marked "reals here encode ACAB"]
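The ACAB walk-through above, carried out with exact fractions as an added example (not the authors' code and not Skype's real coder): the symbol probabilities are assumed from the slide's picture (A owns half of [0, 1), B and C a quarter each), and the decoder is given the message length because this toy model has no end-of-message symbol.

```python
from fractions import Fraction

# Symbol model assumed from the slide's picture: A takes [0, 0.5),
# B and C share [0.5, 1). Not the model Skype actually uses.
MODEL = {"A": Fraction(1, 2), "B": Fraction(1, 4), "C": Fraction(1, 4)}

def cumulative_ranges(model):
    """Cut [0, 1) into one sub-interval per symbol, proportional to its frequency."""
    ranges, low = {}, Fraction(0)
    for sym, prob in model.items():
        ranges[sym] = (low, low + prob)
        low += prob
    if low != 1:
        raise ValueError("probabilities must sum to 1")
    return ranges

def encode(message, model=MODEL):
    """Narrow the current interval once per symbol; every real in the
    returned [low, high) interval encodes the whole message."""
    ranges = cumulative_ranges(model)
    low, high = Fraction(0), Fraction(1)
    for sym in message:
        width = high - low
        sym_low, sym_high = ranges[sym]
        low, high = low + width * sym_low, low + width * sym_high
    return low, high

def decode(value, length, model=MODEL):
    """Invert encode(): find the symbol whose sub-interval contains value,
    emit it, zoom into that sub-interval, repeat 'length' times. A real
    coder would stop on an end-of-message symbol instead of a length."""
    ranges = cumulative_ranges(model)
    low, high = Fraction(0), Fraction(1)
    out = []
    for _ in range(length):
        width = high - low
        for sym, (sym_low, sym_high) in ranges.items():
            lo, hi = low + width * sym_low, low + width * sym_high
            if lo <= value < hi:
                out.append(sym)
                low, high = lo, hi
                break
        else:
            raise ValueError("value does not lie in any symbol interval")
    return "".join(out)

if __name__ == "__main__":
    lo, hi = encode("ACAB")
    print(f"ACAB -> [{lo}, {hi})")   # [13/32, 27/64)
    print(decode(lo, 4))             # ACAB
```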

Slide 56/98: How to speak Skype, Skypy, the Scapy add-on
- We developed an add-on to Scapy from the binary specifications
- It uses the Oracle Revelator shellcode and a TCP-to-UNIX-socket relay to de-obfuscate datagrams
- It can reassemble and decode obfuscated TCP streams
- It can assemble Skype packets and speak Skype

Slide 65/98: Phase 0, hypothesis (analysis of the login phase)
Trusted data:
- Each message signed by one of the Skype moduli is trusted
- The client and the login server have a shared secret: a hash of the password

Slide 66/98: Phase 1, key generation
Session parameters:
- When a client logs in, Skype generates two 512-bit primes
- This gives a 1024-bit RSA private/public key pair
- Those keys represent the user for the duration of the connection
- The client generates a symmetric session key K

Slide 67/98: Phase 2, authentication
Key exchange:
- The client hashes its login, the string "\nskyper\n" and its password with MD5
- The client ciphers its public modulus and the resulting hash with K
- The client encrypts K using RSA with one of the trusted Skype moduli
- It sends the encrypted session key K and the ciphered data to the login server

Slide 69/98: Phase 3, running
Session behaviour:
- If the hash of the password matches, the login associated with the public key is dispatched to the supernodes
- This information is signed by the Skype server. Note that private information is signed by each user.
Search for a buddy:
- If you search for a login name, a supernode sends back this (login, public key) couple
- You receive the public key of the desired buddy
- The whole packet is signed by a Skype modulus

Slide 70/98: Phase 4, communicating
Inter-client session:
- Both clients' public keys are exchanged
- Those keys are signed by the Skype authority
- Each client sends an 8-byte challenge to sign
- Clients are then authenticated and can choose a session key

Slide 72/98: Detecting Skype traffic
Some ideas to detect Skype traffic without de-obfuscation:
- Most of the traffic is encrypted... but not all
- UDP communications imply clear traffic to learn the public IP
- TCP communications use the same RC4 stream twice!

Slide 73/98: Detecting Skype traffic, TCP traffic
- A TCP stream begins with a 14-byte payload
- From it we can recover 10 bytes of the RC4 stream
- The RC4 stream is used twice and we know 10 of the first 14 bytes
[figure: seed, crypted stream 1, crypted stream 2, RC4 stream (10 bytes), known cleartext]
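The keystream-reuse observation above as an added example (not the authors' code): a 14-byte opener is modelled as a 4-byte seed in clear followed by 10 RC4-encrypted bytes of known cleartext, and the same keystream is reused for a second stream; that layout, the key and the cleartext bytes are constructed assumptions, only the two-time-pad reasoning is the slide's.

```python
# Constructed model of the slide's TCP opener: seed || RC4(known cleartext).
SEED_LEN = 4
KNOWN_LEN = 10

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA then PRGA); returns the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_opener(key: bytes, seed: bytes, cleartext: bytes) -> bytes:
    """Constructed 14-byte opener: 4-byte seed in clear, then RC4(cleartext)."""
    return seed + xor(cleartext, rc4_keystream(key, len(cleartext)))

def recover_keystream(opener: bytes, known_cleartext: bytes) -> bytes:
    """Stream cipher with known cleartext: ciphertext XOR cleartext = keystream."""
    return xor(opener[SEED_LEN:SEED_LEN + len(known_cleartext)], known_cleartext)

def keystream_reused(opener1: bytes, opener2: bytes, known_cleartext: bytes) -> bool:
    """Passive sensor check. The keystream recovered from stream 1 is applied
    to stream 2; it yields the known cleartext again only when the same
    keystream was used for both, which is the behaviour the slide describes."""
    ks = recover_keystream(opener1, known_cleartext)
    return xor(opener2[SEED_LEN:SEED_LEN + len(ks)], ks) == known_cleartext

# Constructed sample values (not real Skype keys or cleartext).
KEY = b"constructed-rc4-key"
OTHER_KEY = b"a-different-key"
KNOWN = bytes(range(0x10, 0x10 + KNOWN_LEN))                   # 10 known bytes
OPENER_1 = make_opener(KEY, b"\x01\x02\x03\x04", KNOWN)
OPENER_2 = make_opener(KEY, b"\x05\x06\x07\x08", KNOWN)        # same keystream
OPENER_3 = make_opener(OTHER_KEY, b"\x05\x06\x07\x08", KNOWN)  # fresh keystream
```

A properly used stream cipher never reuses a keystream, so the check fires on the reuse itself rather than on any particular byte value.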

Slide 75/98: Detecting Skype traffic, blocking UDP traffic
On the use of NAck packets...
- The very first UDP packet received by a Skype client is a NAck
- This packet is not encrypted
- This packet is used to set up the obfuscation layer
- Skype can't communicate over UDP without receiving this one
How to block Skype UDP traffic with one rule:
iptables -I FORWARD -p udp -m length --length 39 -m u32 \
    --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
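The rule's u32 match rendered in Python, as an added example (not the authors' code), so that the same test can be applied to captured packets or unit-tested offline: the offsets, mask and constants are the ones in the rule above; the packet builder and the sample payload are constructed and are not a real Skype NAck.

```python
import struct

# Constants from the page's iptables rule: -m length --length 39,
# --u32 '27&0x8f=7' and --u32 '31=0x527c4833'.
NACK_IP_LENGTH = 39
RULE = [(27, 0x8F, 0x7), (31, 0xFFFFFFFF, 0x527C4833)]   # (offset, mask, value)

def u32_word(packet: bytes, offset: int) -> int:
    """The u32 match reads a big-endian 32-bit word at a byte offset counted
    from the start of the IP header, not from the UDP payload."""
    if offset + 4 > len(packet):
        raise ValueError("packet too short for u32 read at offset %d" % offset)
    return struct.unpack_from("!I", packet, offset)[0]

def u32_test(packet: bytes, offset: int, mask: int, value: int) -> bool:
    """Single-test equivalent of --u32 'offset&mask=value'."""
    return (u32_word(packet, offset) & mask) == value

def is_skype_nack(packet: bytes) -> bool:
    """Python rendering of the rule: IPv4, UDP, total length 39, both u32 tests."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or packet[9] != 17:
        return False                                   # not IPv4 or not UDP
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if total_len != NACK_IP_LENGTH or len(packet) < total_len:
        return False
    return all(u32_test(packet, off, mask, val) for off, mask, val in RULE)

def build_ipv4_udp(payload: bytes, sport: int = 31337, dport: int = 4344) -> bytes:
    """Constructed IPv4 (no options) + UDP packet with zeroed checksums,
    sufficient for testing the match logic offline."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload

# With a 20-byte IP header and an 8-byte UDP header, the word at offset 27 is
# the low checksum byte plus UDP payload bytes 0..2 (mask 0x8f keeps bits of
# payload byte 2 only) and the word at offset 31 is payload bytes 3..6.
# This 11-byte payload is constructed to satisfy the rule; filler bytes are zero.
SAMPLE_NACK_PAYLOAD = bytes([0x00, 0x00, 0x07]) + bytes.fromhex("527c4833") + bytes(4)
```

Because u32 offsets are absolute from the IP header, a packet carrying IP options shifts the UDP payload and no longer matches; the rule and this check both assume a 20-byte header.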

Slide 76/98: Blocking Skype
- Skype can't work without a TCP connection
- But Skype can work without UDP
=> Blocking UDP is not sufficient

Slide 77/98: Blocking Skype
- We did not find any command to shut down Skype
- But if we had a subtle DoS to crash the communication manager...
=> ... we could detect and replace every NAck by a packet triggering this DoS

Slide 83/98: Skype network
Supernodes:
- Each Skype client can relay communications to help the unfortunate ones behind a firewall
- When a Skype client has a good score (bandwidth + no firewall + good CPU) it can be promoted to supernode
Slots and blocks:
- Supernodes are grouped by slots
- You usually find 9 or 10 supernodes per slot
- There are 8 slots per block

Slide 84/98: Who are the supernodes?
Just ask: each supernode knows almost all other supernodes. This command asks for at most 100 supernodes from slot 201:
>>> sr1(IP(dst=" ")/UDP(sport=31337,dport=4344)/skype_sof(id=RandShort())/skype_enc()
...     /skype_cmd(cmd=6, reqid=RandShort(), val=skype_encod(encod=0x41)/skype_objects_set(objnb=2)
...     /Skype_Obj_Num(id=0,val=201)/Skype_Obj_Num(id=5,val=100)))
Nowadays there are 2050 slots. That means 20k supernodes in the world.

Slide 85/98: Where are the supernodes?
[figure: supernode locations]

Slide 86/98: Parallel world, build your own Skype private network
Skype is linked to the network because it contains:
- hard-coded RSA keys
- the Skype servers' IP/port
- the Skype supernodes' IP/port
Make your own network?
- Generate your own 13 moduli
- Build a login server with a big database to store users' passwords
- And burn a new binary!
Job's done: you are the head of a new worldwide P2P network

Slide 87/98: Dark network is not enough
Dr Evil, your network is not wide enough!
- The use of the relay manager is not authenticated
- Your supernode can request relay managers from the official network... and feed your own nodes with them
[figure: the Skype network, a stolen relay manager, and Dr Evil's network]

Slide 88/98: Skype voice interception, feasibility of a man-in-the-middle attack
You are Skype Inc:
- You are the certificate authority
- You can intercept and decrypt session keys
- Job's done.
You are not Skype Inc:
- Build your own Skype private network
- Lure your victim into using your modified Skype version
- You can intercept and decrypt session keys
- Job's done.

Slide 91/98: Heap overflow
How to exploit that?
- If NUM = 0x…, the multiplication by 4 overflows: 0x… = 0x…
- So Skype allocates 0x… bytes
- But it reads NUM integers
=> Skype overflows the heap

Slide 92/98: Heap overflow
Good exploit:
- In theory, exploiting a heap overflow on Windows XP SP2 is not very stable
- But Skype has some object-oriented parts
- It has some structures with function pointers in the heap
- If the heap allocation is close to such a structure, the overflow can smash function pointers
- And those functions are often called
=> Even on XP SP2, the exploit is possible

Slide 93/98: Heap overflow
Design of the exploits:
- We need the array object to be decoded
- It only needs to be present in the object list to be decoded
- We can use a string object in the same packet to store the shellcode
- String objects are stored in a static place (almost too easy)

Slide 96/98: Conclusion
Good points:
- Skype was made by clever people
- Good use of cryptography
Bad points:
- Hard to enforce a security policy with Skype
- Jams traffic, can't be distinguished from data exfiltration
- Incompatible with traffic monitoring, IDS
- Impossible to protect from attacks (which would be obfuscated)
- Total black box. Lack of transparency. No way to know if there is/will be a backdoor
- Fully trusts anyone who speaks Skype.

Slide 97/98: Conclusion
Oh, I almost forgot...
Caution: never ever type /eggy prayer or /eggy
Those men who tried aren't here to speak about what they saw...
